The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 (CVE-2019-8449) allows remote, unauthenticated attackers to enumerate usernames via an information disclosure vulnerability.
If upgrading Jira to 8.4.0 or later is not an option for now, a temporary workaround is to block this API endpoint inside Jira's own web application (the UrlRewriteFilter that Jira ships in urlrewrite.xml, which runs in Tomcat in front of the REST servlet), forcing it to return a 403 error to callers that do not present a session cookie.
The steps are:
- Add to the file <jira-installation-directory>/atlassian-jira/WEB-INF/urlrewrite.xml the rule below, which returns a 403 error whenever a request that is not authenticated via a Cookie header (i.e. anything other than a normal browser session or a cookie-based API call) hits /rest/api/latest/groupuserpicker:
- Restart Jira so the filter picks up the new rule
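The following is an added example of such a UrlRewriteFilter rule; it is not the rule from the original note and not Atlassian's code. It assumes that Jira's session cookie is named JSESSIONID (the Tomcat default), that UrlRewriteFilter treats an absent Cookie header as failing an "equal" match (so the notequal condition holds), and, going slightly beyond the text, that /rest/api/2/groupuserpicker is the versioned alias of the "latest" path and should be blocked as well. It goes inside the existing <urlrewrite> root element of urlrewrite.xml, ahead of the rules already there:

```xml
<!-- Added example rule (assumptions: JSESSIONID session cookie,
     /rest/api/2/ aliases /rest/api/latest/). Insert inside the
     existing <urlrewrite> element of
     <jira-installation-directory>/atlassian-jira/WEB-INF/urlrewrite.xml -->
<rule>
    <note>
        Temporary workaround for username enumeration via groupuserpicker:
        answer 403 unless the request carries a Jira session cookie.
        Browser sessions and cookie-based API clients are unaffected.
    </note>
    <!-- True when the Cookie header is missing or carries no JSESSIONID.
         Assumption: a missing header counts as "not equal" in UrlRewriteFilter. -->
    <condition type="header" name="Cookie" operator="notequal">.*JSESSIONID=.*</condition>
    <!-- <from> is a regular expression matched against the path (query string
         excluded by default); cover both the latest and the versioned path -->
    <from>^/rest/api/(latest|2)/groupuserpicker.*$</from>
    <!-- Set the response status and stop: <to>null</to> forwards nowhere -->
    <set type="status">403</set>
    <to>null</to>
</rule>
```

After restarting Jira, check the rule from outside: an unauthenticated `curl -i` against /rest/api/latest/groupuserpicker?query=a should now return 403, while the same request sent from a logged-in browser session (or with that session's JSESSIONID cookie) still returns 200. Two caveats: the condition only inspects the Cookie header, so API clients that authenticate with HTTP Basic and no cookie will also get 403, and authenticated users keep full access to the resource; the rule only closes the anonymous enumeration path, and upgrading to 8.4.0 or later remains the actual fix.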